Skip to main content

Email encryption flaw gives hackers full access to your secret messages

Researchers at the Munster University of Applied Sciences discovered vulnerabilities in the Pretty Good Protection (PGP) and S/MIME technologies used to encrypt email. The problem resides in how email clients use these plug-ins to decrypt HTML-based emails. Individuals and companies are encouraged to disable PGP and/or S/MIME in their email clients for now and use a separate application for message encryption. 

Called EFAIL, the vulnerability abuses “active” content rendered within HTML-based emails, such as images, page styles, and other non-text content stored on a remote server. To successfully carry out an attack, the hacker must first have the encrypted email in possession, whether it’s through eavesdropping, hacking into an email server, and so on. 

Recommended Videos

The first attack method is called “Direct Exfiltration” and abuses vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird. An attacker creates an HTML-based email comprising of three parts: the start of an image request tag, the “stolen” PGP or S/MIME ciphertext, and the end of an image request tag. The attacker then sends this revised email to the victim. 

On the victim’s end, the email client first decrypts the second part and then combines all three into one email. It then converts everything into an URL form starting with the hacker’s address and sends a request to that URL to retrieve the nonexistent image. The hacker receives the image request, which contains the entire decrypted message. 

The second method is called the “CBC/CFB Gadget Attack,” which resides within the PGP and S/MIME specifications, affecting all email clients. In this case, the attacker locates the first block of encrypted plaintext in the stolen email and adds a fake block filled with zeroes. The attacker then injects image tags into the encrypted plaintext, creating a single encrypted body part. When the victim’s client opens the message, the plaintext is exposed to the hacker. 

Ultimately, if you don’t use PGP or S/MIME for email encryption, then there’s nothing to worry about. But individuals, companies, and corporations who use these technologies on a daily basis are advised to disable related plugins and use a third-party client to encrypt emails, such as Signal (iOS, Android). And because EFAIL relies on HTML-based emails, disabling HTML rendering is also advised for now. 

“This vulnerability might be used to decrypt the contents of encrypted emails sent in the past. Having used PGP since 1993, this sounds baaad (sic),” F-Secure’s Mikko Hypponen wrote in a tweet. He later said that people use encryption for a reason: Business secrets, confidential information, and more.  

According to the researchers, “some” email client developers are already working on patches that either eliminates EFAIL altogether or makes the exploits harder to accomplish. They say the PGP and S/MIME standards need an update, but that “will take some time.” The full technical paper can be read here. 

The problem was first leaked by the Süddeutschen Zeitun newspaper prior to the scheduled news embargo. After the EFF contacted the researchers to confirm the vulnerabilities, the researchers were forced to release the technical paper prematurely.

Please enable Javascript to view this content

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
I spent $3,000 on a PC only to play a $20 game. I have zero regrets
A screenshot of Spelunky 2.

Building a PC is an exciting thing, but it's also pretty expensive. Ah, what am I saying -- let's not beat around the bush here. It's really expensive. With the prices of the best graphics cards higher than they've been in years, getting yourself a gaming rig is pricey even if you go down the budget route -- but it gets worse if you want a more powerful PC.

Still, it's entirely possible to build a good computer on a budget. The problem is that you'll often talk yourself into spending more than you need to. That's probably how I ended up spending $3,000 on a PC that's mostly used for playing a $20 game.

Read more
I finally found the perfect mechanical keyboard to go with my Mac, and it’s a lot cheaper
Angled view of a person typing on the Satechi SM3 Slim mechanical keyboard.

My experience with Apple’s Magic Keyboard for the Mac has been a love-hate situation, at best. It is slim, sleek, offers a fantastic scissor-switch, and serves the Touch ID convenience. What’s not to love? 

Well, for starters, the asking price is a steep $200, which is too much for a non-mechanical keyboard. There is no backlight. It is not ergonomic. The looks, though understated, are bland.  

Read more
Watch this PC modder turn an Intel heatspreader into the coolest water block ever
Intel CPUs with CNC-machined heat-spreaders for waterbook cooling experiment

In one of the most inventive PC mods we've seen this year, Chinese YouTuber octppus has pulled off a wild engineering feat by transforming the heatspreader (IHS) of an Intel Core i9-14900KS into a fully functioning water block.

Instead of strapping a conventional cooler onto the processor, the YouTuber took matters into his own hands (and his CNC machine). By precisely carving a network of microchannels directly into the CPU’s integrated IHS, he allowed coolant to flow right across the surface that matters most, the processor die itself. 

Read more